Troubles while setting up a server and Nextcloud instance

I’m trying to set up a server hosting a nextcloud instance, with the cospend app enabled, hosted on an OVH VPS. Let’s assume the domain name for that server is foo.bar.

I have several issues:

  1. The VPS has both an IPv4 and an IPv6, and the DNS is configured to point the domain name to both these IPs. Yet, I can’t seem to make it work with IPv6:
    • ping -6 foo.bar resolves correctly the IPv6 address, but hangs forever
    • ssh -6 root@foo.bar hangs forever
    • the -4 counterpart of both these commands work as expected
  2. I can connect to the nextcloud instance via the web client, but I can’t get it to work with android or desktop clients. On the Android client, it redirects me to the web browser, where I can log in, then I have to click on a button that says “grant access”, and when I do, it spins forever. On the desktop client, I put https://foo.bar in the URL field, and (after the client complains about the certificate), it says “The returned server URL does not start with HTTPS despite the login URL started with HTTPS. Login will not be possible because this might be a security issue. Please contact your administrator.”
  3. When I connect on the web client as an admin, I try to install the Cospend application by clicking on “+ Apps”, but I can’t find it there, yet that seems to be the indicated way to install applications.

Can you share your configuration, and what VPS host you’re using? Sounds like networking and nginx config is messed up. It’s also worth checking that DNS resolves to the correct addresses with dig; it could well be that your local IPv6 is broken, not your server’s.

As for apps, I suggest using the option to install them declaratively: https://search.nixos.org/options?channel=25.11&show=services.nextcloud.extraApps&from=50&query=Services.nextcloud

The full configuration can be found at

My VPS host is OVH.

For the record, I’ve tried disabling IPv6 on the machine and removing the AAAA record, and that doesn’t help making the clients connect.

As per the nextcloud docs, you need to set the overwriteprotocol if it is behind a proxy and you’re using https. You’ll want to set these two options:

I also set the forceSSL setting on my nginx virtualHost for nextcloud; using non-SSL http makes little sense for an authenticated service IMO.

I haven’t used OVH, so I’m not sure if DHCP is sufficient for their networking; double check with their docs. That said, checking if you can dig up your IPv6 address is probably still a good smoke test. But sounds like you don’t actually care about IPv6, just nextcloud being broken?


Oh, sorry, huh. Does the firewall block IPv6? Have you checked dmesg -w when you ping?

Hi,

IPv6 isn’t configured by default on OVH VPS servers

https://help.ovhcloud.com/csm/fr-vps-configuring-ipv6?id=kb_article_view&sysparm_article=KB0047576

Check with the command ip a on the server; you will probably get something like this, with only fe80 for IPv6:

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:9d:69:d2 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname enxfa163e9d69d2
    inet xxx.xxx.xxx.xxx/32 scope global dynamic noprefixroute ens3
       valid_lft 86250sec preferred_lft 86250sec
    inet6 fe80::6023:d593:5441:46e9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever


Well spotted, this fixed the issue for the android client. Furthermore, I was able to install applications declaratively without problems.

Yes, there is still an issue: I use nixos’ acme module to fetch a certificate, but the certificate it provides is not trusted by clients. Hence, the desktop client refuses to log in to my nextcloud instance. My ACME configuration is as follows:

{ pkgs, config, ... }:
let
  domain = config.networking.domain;
in {
  security.acme = {
    defaults.webroot = "/var/lib/acme/acme-challenge/";
    acceptTerms = true;
    defaults.email = "admin@${domain}";
    certs.${domain} = {
      group = config.services.nginx.group;
      extraDomainNames = [ "*.${domain}" ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 ];

  services.nginx = {
    enable = true;
    virtualHosts.${domain} = {
      forceSSL = true;
      useACMEHost = domain;
      locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
    };
  };
}

Indeed, this is the issue. Do I just need to declare an interface with the right IP address to configure IPv6?

NixOS generates a preliminary self-signed certificate, which is replaced once the letsencrypt request succeeds.

If that doesn’t happen, the self-signed cert stays in place and your clients don’t trust it. If you look at your logs you’ll probably see a failing certificate service.


Indeed, that was it: I tried obtaining a certificate for *.mydomain.net with an http challenge, which apparently is not allowed. Changing this solved the issue. Thanks!
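
The fix from the last post, written out as an added example (not part of the thread and not anyone's actual configuration): Let's Encrypt issues wildcard names only through the DNS-01 challenge, so the certificate either drops `*.${domain}` and stays on the webroot (HTTP-01) challenge, or keeps it and switches to DNS-01. The `wildcard` toggle, the `cloud` subdomain, the `ovh` DNS provider and the credentials file path are assumptions.

```nix
{ config, ... }:
let
  domain = config.networking.domain;

  # Assumption for this example: flip to true only once API credentials
  # for the DNS zone are available on the server.
  wildcard = false;
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";

    certs.${domain} = {
      group = config.services.nginx.group;
    } // (if wildcard then {
      # DNS-01: the only challenge type that can validate "*.${domain}".
      # The webroot must be unset when a DNS provider is used.
      webroot = null;
      dnsProvider = "ovh"; # assumption: the zone is hosted at OVH
      # Hypothetical path; holds the provider's API credentials as
      # environment variables and must not be world-readable.
      environmentFile = "/var/lib/secrets/acme-dns.env";
      extraDomainNames = [ "*.${domain}" ];
    } else {
      # HTTP-01: works through the nginx webroot, but every host name
      # has to be listed explicitly; no wildcard entries.
      webroot = "/var/lib/acme/acme-challenge/";
      extraDomainNames = [ "cloud.${domain}" ]; # hypothetical subdomain
    });
  };
}
```

Until the request succeeds, nginx keeps serving the preliminary self-signed certificate, so an untrusted-certificate warning in a client is a sign that issuance is still failing.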